nanog mailing list archives
Re: IPv6 Security [Was: Re: misunderstanding scale]
From: Timothy Morizot <tmorizot () gmail com>
Date: Sun, 23 Mar 2014 18:37:52 -0500
On Mar 23, 2014 4:45 PM, "Paul Ferguson" <fergdawgster () mykolab com> wrote:
> Also, neighbor discovery, for example, can be dangerous (admittedly, so can ARP spoofing in IPv4). And aside from the spoofable ability of ND, robust DHCPv6 is needed for enterprises for sheer operational continuity.
Yes. As I said, same general sorts of risks for the most part as in IPv4. Details differ, but same general types. My point was that it's mostly FUD to wave the flag of scary new security weaknesses with no mitigations in IPv6. It's the same general sort of first hop and link security issues that exist in IPv4 with similar mitigations. Not identical, but not radically different or new either. And yes, I can't imagine any reason a large enterprise would use SLAAC instead of DHCPv6. We're certainly using the latter. But we have robust DHCPv6 available, so I don't understand why you think that's a weakness.
> I haven't even mentioned spam management in v6, which will become a nightmare if people have been relying on IP BL's or similar.
Uh-huh. We've had our Internet mail gateways dual-stacked for a year and a half now. There have certainly been bumps and challenges along the way. I wouldn't want to imply it's been a cakewalk. But it hasn't been some sort of insurmountable challenge. And my organization is extremely security conscious and highly visible. You'll pardon my skepticism over claims that unspecified security weaknesses make it impossible to do what we have done and are continuing to do.
Scott